What is GDPR UK?

Published on : 22 Sep 2021

What is gdpr uk

After the Brexit, there is a lot of confusion over the understanding of the new GDPR UK Regulation. After the withdrawal of the United Kingdom from the European Union, UK is no more regulated by the EU’s General Data Protection Regulation. Instead, it has its own new regulation that governs the processing of the personal data of citizens of the UK. The UK-GDPR is the new regulation that has come into effect since January 31st, 2020. So, with this, all the UK organizations that process personal data are now required to comply with the new regulation.

Further, along with the UK GDPR, organizations will also have to comply with the Data Protection Act of 2018 and the PECR that governs all the processing of personal data from individuals located in the United Kingdom. With this new political development, it has a significant impact on businesses in the UK, EU, and business around the world. Explaining in detail about the new regulation, let us today learn what is GDPR UK and how it impacts businesses in UK, EU, and globally. 

What is UK GDPR Regulation?

The United Kingdom General Data Protection Regulation (UK-GDPR) is the new data privacy regulation that governs the processing of the personal data of citizens of the UK. The UK-GDPR was enforced post the withdrawal of the UK from the EU. This resulted in the existing EU GDPR Regulation not applying to businesses of the UK any longer.

Although most of the GDPR is retained in the domestic law under the new “UK GDPR Regulation” with some significant amendments and the need to comply with the Data Protection Act of 2018. So while the key principles, rights, and obligations remain the same under the new law. However, there are implications for the rules on transfers of personal data between the UK and the EEA. Let us understand to whom does the new regulation applies and how does it impact businesses. 

Who does the UK GDPR apply to?

The UK General Data Protection Regulation (UK GDPR) applies to both data controllers and data processors within the UK. It also applies to organizations outside the UK that offer goods or services to individuals in the UK or monitor the behavior of individuals in the UK. Moreover, there are implications for UK Businesses as well who have an establishment in the EEA, and have customers in the EEA, or monitor individuals in the EEA.

Such businesses will have to comply with EU GDPR regulations. However, it is important to note that the UK GDPR does not apply to the personal data processed by authorities for law enforcement purposes or for safeguarding national security or defense, Also, in case the processing is purely personal or household activity, with no connection to a professional or commercial activity then the regulation is not applicable. Given below are some details of exemptions from UK GDPR.

Exemptions from UK GDPR

Under certain circumstances, the Data Protection Act 2018 provides an exemption from particular UK GDPR provisions. These exemptions include for-

  • crime, law, and public protection
  • regulation, parliament, and the judiciary
  • journalism, research, and archiving
  • health, social work, education, and child abuse
  • finance, management, and negotiations
  • references and exams

Whether or not organizations can rely on these exemptions greatly depends on the reason behind them processing personal data.

How is GDPR UK different from GDPR EU?

UK GDPR majorly remains to be the same as the EU GDPR. The key principles, rights, and obligations remain the same as the EU GDPR until there are any further updates on them. However, there are certain amendments and additions in the new regulations only to accommodate the domestic areas of law. So, let us learn how the UK-GDPR expands and changes the European GDPR. 

  • The areas expanded by the UK-GDPR include National security, Intelligence service & Immigration. These areas are new additions or rather outside the scope of the European GDPR. The UK-GDPR sets out certain exceptions by which the regular protection of personal data can be bypassed when it is a matter of national security or matters of immigration. The same requirements are applicable for the collection and processing of personal data to the intelligence services. 
  • Another major amendment to the UK-GDPR is that, the Information Commissioner which is the leading data protection authority in the UK we be the supervisory and regulatory authority ensuring the enforcement of the UK-GDPR. So, the ICO now takes over all the matters relating to regulation and enforcement of the UK-GDPR. Additionally, the Secretary of State is bestowed with powers to determine or revoke adequacy decisions on behalf of the UK-GDPR and this decision can be taken without the consultation of the ICO.
  • EU companies offering services in the UK need to appoint a representative, as required by UK Businesses based out in the EU requiring an EU representative for the EU GPDR. So, as stated in the UK GDPR Regulation, a representative can be defined as “a natural or legal person established in the United Kingdom who represents the controller or processor.”
  • The UK-GDPR automatically recognized all EU countries as adequate, along with recognizing all existing EU adequacy decisions as to the UK. So this simply means that personal data can continue to flow from the EEA to the UK, without the need for organizations to use SCCs or other means of ensuring that appropriate safeguards apply. 
  • Further, the UK Data Protection regime will be deemed adequate for four years, after which the adequacy findings will be renewed only if the UK continues to ensure an adequate level of protection to the EU residents’ personal data in line with the EU GDPR. If UK data protection law deviates from the EU GDPR to a significant extent, the Commission may eventually withdraw the decision.
  • Another notable difference from the EU GDPR to the new UK-GDPR is lower the age limit or rather the validity of consent to 13 years in the UK from 16 years in the EU.


As we see, there are just a few changes introduced in the new GDPR UK regulation. So, if organizations have been complying with EU GDPR requirements, implementing UK GDPR requirements will not be a huge task for organizations. This is mainly because most of the requirements are identical. Just that the organization may need to adapt certain rules and documentations in line with the new UK GDPR and mention the same in their documents.  Organizations can always consult an expert for clarity and easy transition from the EU GDPR to UK GDPR. VISTA InfoSec is a global cybersecurity consulting firm having compliance experts to help organizations with such compliance transitions. Our team will hand-hold you in the entire process and ensure compliance with the applicable regulation based on the processing activity and location. For more details on the new UK GDPR Regulation or assistance in compliance, you can drop us a mail at info[@]vistainfosec.com

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.